Another mass hack – MSSQL injection compromises 500’000+ web sites

A simple SQL injection has resulted in more than 500'000 websites being compromised with a JavaScript include that redirects visitors of the hacked websites to other sites hosting malware that attempts to infect the client.

Yet another example of simple security errors resulting in mass hacks of websites whose ultimate purpose is the installation of trojans onto end-user machines. The trojans can then be used in bot armies or for the collection of data, passwords and financial account details from keystroke loggers.

As more and more websites use database back-ends to make them faster and more dynamic, it becomes crucial to verify what information gets stored in or requested from those databases, especially if you allow users to upload content themselves, which happens all the time in discussion forums, blogs, feedback forms, et cetera.

Unless that data is sanitized before it gets saved, you can't control what the website will show to its users. This is what SQL injection is all about: exploiting weaknesses in these controls.
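An added example (not from the original post) of the stored-input problem described above: the same guestbook insert written once with string concatenation and once with bound parameters, followed by output encoding before display. It uses Python's sqlite3 as a stand-in for an MSSQL back-end; the table, column names and sample comment are constructed for the illustration.

```python
import html
import sqlite3

# Constructed sample comment. The quote and parenthesis characters are
# ordinary text to the visitor, but in string-built SQL they change the
# structure of the statement instead of being stored as a value.
SAMPLE_COMMENT = "<b>nice</b>'), ('row the visitor never wrote"


def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE guestbook (id INTEGER PRIMARY KEY, body TEXT)")
    return db


def save_unsafe(db, body):
    # Vulnerable: user text is spliced into the SQL string, so the comment
    # above becomes VALUES ('<b>nice</b>'), ('row the visitor never wrote')
    # and the visitor decides what rows end up in the table.
    db.execute("INSERT INTO guestbook (body) VALUES ('%s')" % body)


def save_safe(db, body):
    # Fixed: the value is bound as a parameter and never parsed as SQL,
    # so the whole comment is stored as exactly one row.
    db.execute("INSERT INTO guestbook (body) VALUES (?)", (body,))


def render(db):
    # Output encoding: whatever is in the table is shown as text, never
    # interpreted as markup (or a script include) by the visitor's browser.
    rows = db.execute("SELECT body FROM guestbook ORDER BY id").fetchall()
    return [html.escape(body) for (body,) in rows]


def count_rows(db):
    return db.execute("SELECT COUNT(*) FROM guestbook").fetchone()[0]


def demo():
    unsafe_db, safe_db = new_db(), new_db()
    save_unsafe(unsafe_db, SAMPLE_COMMENT)
    save_safe(safe_db, SAMPLE_COMMENT)
    # Returns (rows stored by the vulnerable path, rows stored by the fixed
    # path, the escaped output of the fixed path).
    return count_rows(unsafe_db), count_rows(safe_db), render(safe_db)


if __name__ == "__main__":
    print(demo())
```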

